I've followed the following steps:
After following those steps, the Azure function I'm using on that plan cannot access either the blob storage account or the key vault. Am I missing a step, or is this functionality not working, despite what the last paragraph on this page says?
@NateB2 Thanks for the question! We are investigating and will update you shortly.
@NateB2 Thanks again for the question! For specific services, refer to Limitations: During preview, service endpoint policies are not supported for any managed Azure services that are deployed into your virtual network.
You may refer to this doc: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview
I'm not using any service endpoint policies. I'm just enabling the service endpoints to the same subnet as I've assigned the app service vnet preview.
In summary, I restricted the key vault and storage account to a subnet, enabled the service endpoints (not the policies, just the service endpoints) for key vault and storage account in that subnet, and then I used the vnet preview wizard in my app service to link the app service to the subnet where I assigned the key vault and storage account. That setup is not working - I get unauthorized errors every time the app service tries to access key vault or the storage account.
@NateB2 Thanks for the clarification. Could you please send an email to AzCommunity[at]Microsoft[dot]com referencing this GitHub issue? We would like to work more closely with you on this matter.
Since we will work with you offline, we will now proceed to close this thread.
@SnehaAgrawal-MSFT could you please reopen this issue and include me in the collaboration?
I am having a similar issue in https://github.com/MicrosoftDocs/azure-docs/issues/28461
cc @ccompy
Has anyone had any success implementing this? If you've managed to get it working, we'd love to at least have someone acknowledge that it can work before investing further time on this. In my two attempts to implement this, I am able to use the documented steps to configure the new preview integration, but I hit access issues. In my case the Azure SQL connection returns a connection error because the public IP address of the Azure App Service is not allowed to connect. I've tried adding firewall rules for the VNet subnet to see if that helped, but it seems that the routing is still occurring through the public infrastructure rather than the VNET. Taking things offline to assist someone with issue identification is fine; it would help the rest of us if the underlying issue could be described, as we're probably all reaching the same outcome.
Hi @NateB2,
Hi @hansmbakker,
Facing the issue as well when keeping Cosmos DB in a VNet and trying to access it from a web app using a P2S connection over VPN Gateway. I even tried with App Service Environment, but it didn't work.
Did you get any solution from Microsoft? Any alternative if this isn't possible?
Regards
I'm still experiencing this issue. According to these docs it should be possible; however, CosmosDB is still denying the requests.
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
Are there any updates on this? We're trying to have an AppService connect to KeyVault using this methodology. We've found that by restarting the ServicePlan (change the pricing tier and put it back) it goes away most of the time but it pops up pretty much 100% of the time we create a new AppService.
From the investigating we've been doing there is something going on with the routing where the API call to KeyVault comes from the AppService's public IP (which is blocked) instead of going through the VNet with a private IP.
I have a support ticket open with MS currently but they seem a little stumped as to what is going on.
Yeah, I feel like I'm getting the same issue with Azure Storage and a service endpoint. I've opened a support ticket (a few days ago) and haven't received any response yet. Hopefully Microsoft can shed some light on this...